This new version of xor-kpa adds the option -x to encode/decode, and also prints the hexadecimal value of the found keys.
Sunday 27 November 2016
Tuesday 22 November 2016
When I left my last position, my friends and colleagues with whom I’ve worked for years gave me a little challenge: a PDF with a hidden ciphertext. At first I had to use Excel to decipher the ciphertext, but later I wrote a small Python tool to help me.
The simple ciphers supported by this tool are XOR, ROT, Vigenère and subtract (I added that last one because it was used in a maldoc). You can use the man page (option -m) to learn more.
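As an added example (my own code, not the xor-kpa tool itself), here is the known-plaintext attack on a repeating-key XOR cipher that such a tool performs; the key, plaintext and known fragment are constructed for the demonstration, and the key is reported in hex as the new version does:

```python
# Added example (not Didier Stevens' xor-kpa code): a known-plaintext attack on a
# repeating-key XOR cipher. Key, plaintext and known fragment are constructed.

def xor_apply(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; the same call encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def find_xor_keys(ciphertext: bytes, known: bytes, max_keylen: int = 32) -> list:
    """Slide the known plaintext over the ciphertext. At each offset the XOR of
    the two is a candidate keystream; if it repeats with a period of at most
    max_keylen (and at least two full periods are visible), that period is a key
    candidate. Returns (offset, key) pairs, the key rotated so that key[0] is the
    byte applied to ciphertext[0]."""
    found = []
    for offset in range(len(ciphertext) - len(known) + 1):
        stream = bytes(c ^ p for c, p in zip(ciphertext[offset:], known))
        for keylen in range(1, max_keylen + 1):
            if 2 * keylen > len(stream):
                break  # fewer than two periods visible: a match would be meaningless
            if all(stream[i] == stream[i - keylen] for i in range(keylen, len(stream))):
                period = stream[:keylen]
                # period[j] is the key byte for ciphertext index offset+j; undo the shift
                key = bytes(period[(k - offset) % keylen] for k in range(keylen))
                found.append((offset, key))
                break  # shortest period wins; longer ones are just repeats of it
    return found


KEY = b"K3y!"                                       # constructed key
PLAINTEXT = b"PE stub: This program cannot be run in DOS mode.\r\n$"
KNOWN = b"This program cannot be run in DOS mode"   # the usual PE stub text
CIPHERTEXT = xor_apply(PLAINTEXT, KEY)              # constructed ciphertext

if __name__ == "__main__":
    for offset, key in find_xor_keys(CIPHERTEXT, KNOWN):
        print(f"offset {offset}: key {key!r} (hex {key.hex()})")
        print(xor_apply(CIPHERTEXT, key))
```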
Monday 21 November 2016
This new version supports different encodings besides base64 (but the name remains base64dump).
The new encodings are hexadecimal (hex), \u unicode (bu) and %u unicode (pu).
The shellcode, escaped with %u, can be extracted with base64dump:
There’s also a new option to do a string dump: -S
And a last small update: this version also counts unique bytes, i.e. the number of different byte values found in the data.
Sunday 20 November 2016
A small update to zipdump: this version displays the ZIP comment (if present) and also counts unique bytes, i.e. the number of different byte values found in the data.
Saturday 19 November 2016
A small update to byte-stats: this version also counts unique bytes, i.e. the number of different byte values found in the data.
Friday 18 November 2016
shellcode2vba.py is a Python program to create VBA code to inject shellcode. This new version has 1 new option:
Option --suffix allows you to instruct the program to add a suffix to the VBA function names.
Sunday 23 October 2016
This new version of virustotal-search.py accepts input from stdin.
Saturday 22 October 2016
I added dumps to this new version of cut-bytes.py:
Monday 17 October 2016
This new version has a couple of new options (--decoderdir and --plugindir) and a bugfix.
Friday 14 October 2016
There are Office maldocs out there with some complex payload decoding algorithms. Sometimes I don’t have the time to convert the decoding routines to Python, and then I will use the VBA interpreter in Excel. But I have to be careful not to execute the payload, just decode it. In the following video, I show how I do this.